In a previous job, amongst many other things I was responsible for the tending of a small herd of HP DL-whatever servers, ~1500 machines all running RHEL. These were considered mission-critical for the business unit. I used various tools for this, one of which was the Integrated Remote Console. This would be used when some hardware failed, which happened surprisingly often; HP quality is not what it was in the good old days of PA-RISC and HP-UX. But I digress.
One day I came into work and found that I had been locked out of various systems and that my name was on a spreadsheet sent to “senior management” because I had allegedly been caught “participating in hacker chatrooms”. I did try to explain to the cybersecurity team that this IRC.EXE actually had nothing to do with that, but they were soooo pleased with themselves for having busted a hacking ring, or so they thought, that they wouldn’t listen. So I went and spoke to the head of the business instead, and told him that I could no longer support his mission-critical platform. Well, that got sorted out very quickly. I never got an apology from the cyber guys, but they never bothered me again. Incidentally, the ad for this job had even included the phrase “we’re looking for real hackers”, using the more traditional meaning of the word.
I could tell a dozen stories like that from various points in my career. Cybersecurity people are a very mixed bag. Some are very good indeed and can reason about complex systems and their failure modes in ways that had never even occurred to me before. But some, lacking the background of software or systems engineers, have no context and no real idea what the systems they are supposedly defending actually do, what is normal, legitimate activity and what is suspicious, so they blunder around like bulls in a china shop. And this latter group, for some unknown reason, see themselves as an elite, aloof from common engineers, which doesn’t help anyone – security is a team sport, and for it to work, everyone must be a player, including engineers and end-users. Understanding how people use the systems day-to-day is very important: unless security seems natural to them, people will find workarounds for it, like USB drives, Dropbox, leaving their unencrypted laptop in the car…
Anyway, I do have such a background, and guys like me have always done the bread-and-butter of cyber (or infosec, as it used to be called), and now I have completed a course to round out my knowledge of this field too.
What do I mean by bread-and-butter? Well, most security work isn’t especially glamorous or exciting. Keeping the hardware and software inventory up to date, staying on top of newly discovered vulnerabilities and newly released patches from vendors, triaging them into change management, ticking off checklists, administering routine updates of AD or similar, maintaining systems that collect and scan logfiles, dealing with false positives (manual investigation) and fine-tuning the triggers, probing our own systems with fuzzers and suchlike, archiving things for compliance… Educating people in, and if necessary enforcing, good security practice throughout the organisation. Identifying requirements, evaluating solutions, presenting the findings, same as for any other product or service the organisation might use. The occasional forensic analysis if there is some possible indicator of compromise. Reporting on all of this to “key stakeholders”.
It’s important work and it needs to be done but it’s also, for most of us, on top of our real jobs. The full-time cyber guys are off doing… whatever it is they do all day. I’m kidding. Sort of. I think most outsiders think that that is what the entire field is!
Unfortunately, Microsoft have just announced that they’re retiring the MPP, so this will be my last one (I was going to do the IoT track next year). That’s a real pity, because MPP was one of the few that taught conceptual and theoretical skills along with hands-on technical ones, and would thus retain long-term value even when the specific tools used on the course were superseded. That is what attracted me to it in the first place. The new “role based certifications” are purely about operating particular versions of particular products, which is a big step backwards to short-term value only. It was a bit sudden as well; there will be many people who, with other commitments and so on, will struggle to finish by 31st Dec. I spent nearly a year doing the Data Science track, on and off. I did this one quickly because, as I mentioned, a lot of it was already familiar!
For posterity’s sake I will preserve the MPP Cybersecurity curriculum here:
- INF246x: Enterprise Security Fundamentals
- INF249x: Threat Detection: Planning for a Secure Enterprise
- INF250x: Planning a Security Incident Response
- INF251x: PowerShell Security Best Practices
- INF258x: Windows 10 Security Features
- INF259x: Windows Server 2016 Security Features
- DAT243x: Securing Data in Azure and SQL Server
- INF253x: Managing Identity
- INF260x: Microsoft Azure Security Services
- INF261x: Microsoft Professional Capstone: Cybersecurity
A good mix of general principles and technical specifics; even the Windows-specific courses covered material that was applicable to other platforms. I even learned some new things about SQL Server! The capstone involved defending a mixed network of Windows 8.1, Ubuntu 14 and Windows Server 2012 from a simulated attack in real time – with the older platforms, a lot of the more modern tooling from Windows 10 and 2016 was not available, so you had to use your wits. Fun!
I suppose I’ll have to do the same for the other ones as well. I really hope Microsoft will reconsider.
Going forwards: this was an entirely defensive course, and since I now have to look beyond Microsoft for CPD, maybe I’ll try something offensive.
I’ve completed all the modules, just got the capstone to do by end of year. Any tips you could give me for a pass first time around? Any topics I should revise before starting capstone?
You’re cutting it awfully close, but the book Blue Team Field Manual was super helpful. Everything you need is in there. Also, I used Azure Security Center; if I remember correctly, the instructions heavily hint that you should do so. Practice deploying it to a non-Azure host so you can do it quickly.